Merge pull request #39 from salt-formulas/pr/fix_salt_ca_trust
Fix ca.crt rollout for trusted_ca_minions
diff --git a/salt/minion/cert.sls b/salt/minion/cert.sls
index e25534e..7f63d4e 100644
--- a/salt/minion/cert.sls
+++ b/salt/minion/cert.sls
@@ -1,6 +1,13 @@
{%- from "salt/map.jinja" import minion with context %}
{%- if minion.enabled %}
+
+{%- if grains.os_family == 'RedHat' %}
+{%- set cacerts_dir='/etc/pki/ca-trust/source/anchors' %}
+{%- else %}
+{%- set cacerts_dir='/usr/local/share/ca-certificates' %}
+{%- endif %}
+
{%- if minion.cert is defined %}
{%- for cert_name,cert in minion.get('cert', {}).iteritems() %}
@@ -12,11 +19,6 @@
{%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %}
{%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %}
{%- set ca_dir = ca_file|replace(ca_file.split('/')[-1], "") %}
-{%- if grains.os_family == 'RedHat' %}
-{%- set cacerts_dir='/etc/pki/ca-trust/source/anchors' %}
-{%- else %}
-{%- set cacerts_dir='/usr/local/share/ca-certificates' %}
-{%- endif %}
{# Only ensure directories exists, don't touch permissions, etc. #}
salt_minion_cert_{{ cert_name }}_dirs:
@@ -177,8 +179,13 @@
- pkg: salt_ca_certificates_packages
{%- if minion.get('cert', {}).get('trust_salt_ca', 'True') %}
-{%- for ca_host, certs in salt['mine.get']('*/ca*', 'x510.get_pem_entries').iteritems() %}
+
+{%- for trusted_ca_minion in minion.get('trusted_ca_minions', []) %}
+{%- for ca_host, certs in salt['mine.get'](trusted_ca_minion+'*', 'x509.get_pem_entries').iteritems() %}
+
{%- for ca_path, ca_cert in certs.iteritems() %}
+{%- if not 'ca.crt' in ca_path %}{% continue %}{% endif %}
+
{%- set cacert_file="ca-"+ca_path.split("/")[4]+".crt" %}
salt_cert_{{ cacerts_dir }}/{{ cacert_file }}:
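Review bot: The `'*'` appended to `trusted_ca_minion` on the `salt['mine.get']` line turns each configured id into a prefix glob, so any minion whose id merely starts with e.g. `cfg01` would also have its mine-published PEM entries installed as system CA anchors; since this list exists to narrow which minions are trusted, matching the id exactly with `salt['mine.get'](trusted_ca_minion, 'x509.get_pem_entries')` keeps the trust boundary where the pillar draws it. The `{% continue %}` on the `ca.crt` filter line depends on Jinja's loopcontrols extension, which Salt's renderer appears to enable, but that is worth a comment such as `{# requires jinja2.ext.loopcontrols (enabled by salt's jinja renderer) #}` so the dependency is visible. `'ca.crt' in ca_path` is a substring test, so a path like `.../my-ca.crt` also passes; if only the CA certificate itself should be trusted, `ca_path.endswith('/ca.crt')` is tighter, though the `split("/")[4]` naming on the following line already presumes a fixed path layout. The enclosing `trust_salt_ca` block and the new outer loop continue past this hunk.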
@@ -194,6 +201,7 @@
{%- endfor %}
{%- endfor %}
+{%- endfor %}
{%- endif %}
{%- endif %}
diff --git a/tests/pillar/minion_pki_cert.sls b/tests/pillar/minion_pki_cert.sls
index 14b0194..4fe855c 100644
--- a/tests/pillar/minion_pki_cert.sls
+++ b/tests/pillar/minion_pki_cert.sls
@@ -9,6 +9,8 @@
minion:
enabled: true
cert:
+ trusted_ca_minions:
+ - cfg01
ceph_cert:
alternative_names:
IP:127.0.0.1,DNS:salt.ci.local,DNS:ceph.ci.local,DNS:radosgw.ci.local,DNS:swift.ci.local
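Review bot: The added `trusted_ca_minions` key appears directly after `cert:` and before `ceph_cert:`, so if it is nested under `cert` (indentation is not preserved in this view) it will not be found by `minion.get('trusted_ca_minions', [])` in salt/minion/cert.sls, which reads the key from the `minion` level, and the test would silently exercise an empty list. Placing it as a sibling of `cert:` under `minion:`, or reading it in the state via `minion.get('cert', {}).get('trusted_ca_minions', [])`, would make the pillar and the state agree; whichever is chosen, the README should document where the key lives.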